Author Topic: deny access to OU  (Read 1637 times)

johncglro

deny access to OU
« on: February 19, 2014, 04:16:15 pm »
Hello,
can someone help me, please!?
I need to restrict a delegated OU user from viewing other OUs. In Windows I can control this with the Security tab, but in Zentyal I'm in the dark. Any ideas?

christian

Re: deny access to OU
« Reply #1 on: February 19, 2014, 04:27:07 pm »
That's an interesting question, as this may apply to the 2 different LDAP servers.
The idea for Zentyal LDAP is to apply ACLs, but:
- the Zentyal interface doesn't offer an out-of-the-box ACL management interface
- for OpenLDAP, this most likely means applying hooks (I never look at this again this eBox  :-[)
For Samba 4, if I understand well, this is done using samba-tool.

johncglro

Re: deny access to OU
« Reply #2 on: February 19, 2014, 05:26:09 pm »
Currently I am using RSAT tools to manage the directory.
« Last Edit: February 19, 2014, 05:36:22 pm by johncglro »

peterpugh

Re: deny access to OU
« Reply #3 on: February 19, 2014, 05:48:15 pm »
http://rofi.roger-ferrer.org/eiciel/

But I'm not really sure what you mean, as there isn't a delegation model in Zentyal.

johncglro

Re: deny access to OU
« Reply #4 on: February 19, 2014, 05:51:07 pm »
I can delegate control of an OU to a specific user using Active Directory Users and Computers. Give it a try.  :)

peterpugh

Re: deny access to OU
« Reply #5 on: February 19, 2014, 05:58:58 pm »
I know, but as Christian says, in Zentyal it doesn't exist.

With the link and Nautilus you can change file ACLs through Zentyal.

Still trying to work out why we have the file manager we do.

Sorry about being no help.

johncglro

Re: deny access to OU
« Reply #6 on: February 19, 2014, 05:59:42 pm »
I've attached the differences that I see in AD UC so you know what I'm referring to. How can I control security at the OU level?

peterpugh

Re: deny access to OU
« Reply #7 on: February 19, 2014, 06:13:08 pm »
You're doing it the right way. It's not very intuitive, and there is also a filter on the LDAP, so many of the built-in Samba roles, like administrator, are not displayed.

If you search the forum, it's part of the /etc/zentyal config files where the filter is.

To be honest, I am confused as to the whole purpose and construction of the Zentyal GPO editor.

Create and add GPOs and users with Zentyal but use RSAT to modify the policies.

I have been a little scared to stray from the default as I have broken things several times.

johncglro

Re: deny access to OU
« Reply #8 on: February 19, 2014, 06:17:02 pm »
Well, another big question: how can I edit GPOs with RSAT? I saw that I cannot edit them from the Zentyal interface, or maybe I didn't know where to find them. In the Zentyal interface I find only the section where I can upload scripts, and that's all.
So, from your information, I need to manually edit the /etc/zentyal config files to deny access to other OUs? Thank you!

peterpugh

Re: deny access to OU
« Reply #9 on: February 19, 2014, 06:42:58 pm »
Sorry John.

I have been a bit of a critic of the operation of the Zentyal users and group manager.

Currently there is another LDAP on 390 and this gives a heterogeneous environment of M$ and Linux clients.

It hasn't worked very well and I think the s4sync and LDAP on 390 is going to be scrapped.

Zentyal just doesn't have a delegation mode for users. Full stop.

The accounts operator account in Zentyal doesn't exist and I think it's just hidden by the filter I mentioned.

When I first came across the Zentyal user and group manager I thought, sod that, I will just use RSAT.

Then I killed a server by just doing something simple like removing a policy link.

I am not really sure but unfortunately I don't think anyone is really sure.

You will just have to wait until the Zentyal delegated model is implemented, or hope that using RSAT doesn't kill anything.

In RSAT, create a batch script with the GPO name that is empty; that way you will at least know what the GPO security descriptor belongs to.